in progress nuke

Author: handsdiff

.detect-secrets.cfg

@@ -7,10 +7,6 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
-# Generated output and vendored assets.
-pattern = (^|/)(dist|vendor)/
-# Local config file with allowlist patterns.
-pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
@@ -28,3 +24,22 @@ pattern = "talk\.apiKey"
 pattern = === "string"
 # specific optional-chaining password check that didn't match the line above.
 pattern = typeof remote\?\.password === "string"
+# Docker apt signing key fingerprint constant; not a secret.
+pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
+# Credential matrix metadata field in docs JSON; not a secret value.
+pattern = "secretShape": "(secret_input|sibling_ref)"
+# Docs line describing API key rotation knobs; not a credential.
+pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
+# Docs line describing remote password precedence; not a credential.
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
+# Test fixture starts a multiline fake private key; detector should ignore the header line.
+pattern = const key = `-----BEGIN PRIVATE KEY-----
+# Docs examples: literal placeholder API key snippets and shell heredoc helper.
+pattern = export CUSTOM_API_K[E]Y="your-key"
+pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
+pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
+pattern = "ap[i]Key": "xxxxx",
+pattern = ap[i]Key: "A[I]za\.\.\.",
+# Sparkle appcast signatures are release metadata, not credentials.
+pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"

.github/FUNDING.yml

@@ -76,6 +76,37 @@ body:
       label: Install method
       description: How OpenClaw was installed or launched.
       placeholder: npm global / pnpm dev / docker / mac app
+  - type: input
+    id: model
+    attributes:
+      label: Model
+      description: Effective model under test.
+      placeholder: minimax/text-01 / openrouter/anthropic/claude-opus-4.1 / anthropic/claude-sonnet-4.5
+    validations:
+      required: true
+  - type: input
+    id: provider_chain
+    attributes:
+      label: Provider / routing chain
+      description: Effective request path through gateways, proxies, providers, or model routers.
+      placeholder: openclaw -> cloudflare-ai-gateway -> minimax
+    validations:
+      required: true
+  - type: input
+    id: config_location
+    attributes:
+      label: Config file / key location
+      description: Optional. Relevant config source or key path if this bug depends on overrides or custom provider setup. Redact secrets.
+      placeholder: ~/.openclaw/openclaw.json ; models.providers.cloudflare-ai-gateway.baseUrl ; ~/.openclaw/agents/<agentId>/agent/models.json
+  - type: textarea
+    id: provider_setup_details
+    attributes:
+      label: Additional provider/model setup details
+      description: Optional. Include redacted routing details, per-agent overrides, auth-profile interactions, env/config context, or anything else needed to explain the effective provider/model setup. Do not include API keys, tokens, or passwords.
+      placeholder: |
+        Default route is openclaw -> cloudflare-ai-gateway -> minimax.
+        Previous setup was openclaw -> cloudflare-ai-gateway -> openrouter -> minimax.
+        Relevant config lives in ~/.openclaw/openclaw.json under models.providers.minimax and models.providers.cloudflare-ai-gateway.
   - type: textarea
     id: logs
     attributes:

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -5,10 +5,7 @@ self-hosted-runner:
   labels:
     # Blacksmith CI runners
     - blacksmith-8vcpu-ubuntu-2404
-    - blacksmith-8vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404
-    - blacksmith-16vcpu-windows-2025
-    - blacksmith-32vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404-arm
 
 # Ignore patterns for known issues

.github/actionlint.yaml

@@ -0,0 +1,47 @@
+name: Ensure base commit
+description: Ensure a shallow checkout has enough history to diff against a base SHA.
+inputs:
+  base-sha:
+    description: Base commit SHA to diff against.
+    required: true
+  fetch-ref:
+    description: Branch or ref to deepen/fetch from origin when base-sha is missing.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Ensure base commit is available
+      shell: bash
+      env:
+        BASE_SHA: ${{ inputs.base-sha }}
+        FETCH_REF: ${{ inputs.fetch-ref }}
+      run: |
+        set -euo pipefail
+
+        if [ -z "$BASE_SHA" ] || [[ "$BASE_SHA" =~ ^0+$ ]]; then
+          echo "No concrete base SHA available; skipping targeted fetch."
+          exit 0
+        fi
+
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Base commit already present: $BASE_SHA"
+          exit 0
+        fi
+
+        for deepen_by in 25 100 300; do
+          echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
+          git fetch --no-tags --deepen="$deepen_by" origin "$FETCH_REF" || true
+          if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+            echo "Resolved base commit after deepening: $BASE_SHA"
+            exit 0
+          fi
+        done
+
+        echo "Base commit still missing; fetching full history for $FETCH_REF."
+        git fetch --no-tags origin "$FETCH_REF" || true
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Resolved base commit after full ref fetch: $BASE_SHA"
+          exit 0
+        fi
+
+        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"

.github/actions/ensure-base-commit/action.yml

@@ -0,0 +1,18 @@
+name: openclaw-codeql-javascript-typescript
+
+paths:
+  - src
+  - extensions
+  - ui/src
+  - skills
+
+paths-ignore:
+  - apps
+  - dist
+  - docs
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"

.github/codeql/codeql-javascript-typescript.yml

@@ -49,38 +49,6 @@ updates:
           - patch
     open-pull-requests-limit: 5
 
-  # Swift Package Manager - macOS app
-  - package-ecosystem: swift
-    directory: /apps/macos
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      swift-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Swift Package Manager - shared MoltbotKit
-  - package-ecosystem: swift
-    directory: /apps/shared/MoltbotKit
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      swift-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
   # Swift Package Manager - Swabble
   - package-ecosystem: swift
     directory: /Swabble
@@ -97,22 +65,6 @@ updates:
           - patch
     open-pull-requests-limit: 5
 
-  # Gradle - Android app
-  - package-ecosystem: gradle
-    directory: /apps/android
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      android-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
   # Docker base images
   - package-ecosystem: docker
     directory: /

.github/dependabot.yml

@@ -115,22 +115,6 @@
           - "extensions/zalouser/**"
           - "docs/channels/zalouser.md"
 
-"app: android":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/android/**"
-          - "docs/platforms/android.md"
-"app: ios":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/ios/**"
-          - "docs/platforms/ios.md"
-"app: macos":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/macos/**"
-          - "docs/platforms/macos.md"
-          - "docs/platforms/mac/**"
 "app: web-ui":
   - changed-files:
       - any-glob-to-any-file:

.github/labeler.yml

@@ -87,6 +87,13 @@ What you personally verified (not just CI), and how:
 - Edge cases checked:
 - What you did **not** verify:
 
+## Review Conversations
+
+- [ ] I replied to or resolved every bot review conversation I addressed in this PR.
+- [ ] I left unresolved only the conversations that still need reviewer or maintainer judgment.
+
+If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.
+
 ## Compatibility / Migration
 
 - Backward compatible? (`Yes/No`)

.github/pull_request_template.md

@@ -35,6 +35,7 @@ jobs:
           github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
           script: |
             // Labels prefixed with "r:" are auto-response triggers.
+            const activePrLimit = 10;
             const rules = [
               {
                 label: "r: skill",
@@ -48,6 +49,21 @@ jobs:
                 message:
                   "Please use [our support server](https://discord.gg/clawd) and ask in #help or #users-helping-users to resolve this, or follow the stuck FAQ at https://docs.openclaw.ai/help/faq#im-stuck-whats-the-fastest-way-to-get-unstuck.",
               },
+              {
+                label: "r: no-ci-pr",
+                close: true,
+                message:
+                  "Please don't make PRs for test failures on main.\n\n" +
+                  "The team is aware of those and will handle them directly on the codebase, not only fixing the tests but also investigating what the root cause is. Having to sift through test-fix-PRs (including some that have been out of date for weeks...) on top of that doesn't help. There are already way too many PRs for humans to manage; please don't make the flood worse.\n\n" +
+                  "Thank you.",
+              },
+              {
+                label: "r: too-many-prs",
+                close: true,
+                message:
+                  `Closing this PR because the author has more than ${activePrLimit} active PRs in this repo. ` +
+                  "Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.",
+              },
               {
                 label: "r: testflight",
                 close: true,
@@ -246,6 +262,8 @@ jobs:
             };
 
             const triggerLabel = "trigger-response";
+            const activePrLimitLabel = "r: too-many-prs";
+            const activePrLimitOverrideLabel = "r: too-many-prs-override";
             const target = context.payload.issue ?? context.payload.pull_request;
             if (!target) {
               return;
@@ -375,6 +393,7 @@ jobs:
             }
 
             const invalidLabel = "invalid";
+            const spamLabel = "r: spam";
             const dirtyLabel = "dirty";
             const noisyPrMessage =
               "Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.";
@@ -411,6 +430,21 @@ jobs:
                 });
                 return;
               }
+              if (labelSet.has(spamLabel)) {
+                await github.rest.issues.update({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  state: "closed",
+                });
+                await github.rest.issues.lock({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  lock_reason: "spam",
+                });
+                return;
+              }
               if (labelSet.has(invalidLabel)) {
                 await github.rest.issues.update({
                   owner: context.repo.owner,
@@ -422,6 +456,23 @@ jobs:
               }
             }
 
+            if (issue && labelSet.has(spamLabel)) {
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                state: "closed",
+                state_reason: "not_planned",
+              });
+              await github.rest.issues.lock({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                lock_reason: "spam",
+              });
+              return;
+            }
+
             if (issue && labelSet.has(invalidLabel)) {
               await github.rest.issues.update({
                 owner: context.repo.owner,
@@ -433,6 +484,10 @@ jobs:
               return;
             }
 
+            if (pullRequest && labelSet.has(activePrLimitOverrideLabel)) {
+              labelSet.delete(activePrLimitLabel);
+            }
+
             const rule = rules.find((item) => labelSet.has(item.label));
             if (!rule) {
               return;